DDD Invoices Data Processing Agreement v.2.0.

- effective from January 29, 2026

PLEASE READ THIS DATA PROCESSING AGREEMENT CAREFULLY. THIS DATA PROCESSING AGREEMENT GOVERNS THE TRANSFER AND PROCESSING OF PERSONAL DATA BY THE PROVIDER ON BEHALF OF THE USER AND IN CONNECTION WITH THE USER'S USE OF THE DDD Invoices SERVICE. BY SETTING UP AN ACCOUNT AND CLICKING [SIGN UP] OR USING ANY OF THE DDD Invoices SERVICES WHICH DO NOT REQUIRE REGISTRATION, YOU AGREE TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND BY THIS AGREEMENT, YOU MAY NOT ACCESS OR INTERACT WITH THE DDD Invoices SERVICE.

PREAMBLE AND INTRODUCTORY REMARKS

This DDD Invoices Data Processing Agreement and its Appendices (hereinafter: “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by the Provider (as the Processor) on behalf of the User (as the Controller) in connection with the User’s use of the DDD Invoices Service, whereby all bolded terms are further defined below.

This DPA is supplemental to, and forms an integral and indispensable part of the DDD Invoices Terms of Service (hereinafter: “Terms” or “Agreement”) published on https://dddinvoices.com/terms-and-conditions, which apply to and govern the setting-up, use and access of the DDD Invoices Service.

This DPA is effective from the moment that the Provider and User enter into the Agreement as described in point 1.1. of said Agreement.

If you do not agree to the terms and clauses of this DPA or the Agreement, you are not authorised to validly register an account with us or to use any of the DDD Invoices Services which do not require registration. If you are already accessing or using the DDD Invoices Service, you must immediately stop doing so.

In case of any conflict or inconsistency between the terms and clauses of this DPA and the terms and clauses of the Agreement, this DPA will take precedence over the terms and clauses of the Agreement to the extent of such conflict or inconsistency.

Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

All enquiries regarding this DPA may be directed at [email protected].

1. THE APPLICATION OF THIS DPA

  1. By setting up an account and clicking [I agree] or using any of the DDD Invoices Services which do not require registration as described in point 1.1. of the Agreement, this DPA is deemed as validly concluded between:
    • DDD Invoices, elektronsko fakturiranje, d.o.o., Letališka cesta 32J, 1000 Ljubljana, Slovenia, company reg. no.: 9366288000, VAT ID no.: SI 61609820 (owned by DDD Invoices LTD, with a registered office at 71–75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ, company number 15647926, the owner and supplier of the DDD Invoices Service (https://app.dddinvoices.com/) and the https://dddinvoices.com/ website (hereinafter: “we”, “us”, “our”, “Processor”) who can be reached at: [email protected],
    • and you (hereinafter: “you”, “your”, “User” or “Data Processor”) the legal entity that shall be identified as the registered user of the Service when you, the duly authorised individual representing said entity, register an account (i.e. perform the actions from point 1.1. of the Agreement in the name of the company you represent) and is bound to the Agreement and this DPA. The aforementioned also relates to any and all Permitted Users, Personnel and User Affiliates.
  2. Before your use of the Service, you are asked to duly review, understand and get acquainted with the content of both this DPA and the Agreement.
  3. Any reference to this DPA includes its Appendices.

2. CHANGES

  1. We may make changes to this DPA at any time by notifying you of the change by email or by posting a notice on the https://dddinvoices.com/ website. Unless stated otherwise, any change takes effect from the date set out in the notice. You are responsible for ensuring you are familiar with the last version of this DPA. By continuing to access and use the DDD Invoices Service and the https://dddinvoices.com/ website from the date on which this DPA is changed, you agree to be bound by the changed DPA.
  2. If you do not agree to the changes, you must notify us immediately whereby we shall proceed with terminating your account and ceasing any and all Data Processing and returning / destroying all Personal Data to you as per the applicable clauses of the Agreement and this DPA.
  3. This DPA was last updated on the 29th of January, 2026.

3. INTERPRETATION

In this DPA all of the bolded terms shall have the same meaning as the defined terms from the Agreement, with the added inclusion of the following terms:

Agreement (also called Terms) shall mean the DDD Invoices Terms of Service published on https://dddinvoices.com/terms-and-conditions, which apply to all websites and services that are represented by the DDD Invoices (unregistered) trademark and govern the setting-up, use and access of the DDD Invoices Service and the https://dddinvoices.com/ website and under which certain Personal Data needs to be processed in accordance with this DPA.

DDD Invoices Data Processing Agreement (also called DPA) shall mean this legal agreement that you shall simultaneously enter into together with the Agreement when performing the actions from point 1.1. of the Agreement, and under which the Provider shall be deemed as the Processor and you shall be deemed as the Controller of any and all Personal Data that shall be sent, transmitted or transferred to the Provider directly or through the use of the DDD Invoices Service or the https://dddinvoices.com/ website for the performance of the Service by you or any third party. This DPA forms a supplemental, integral and indispensable part of the Agreement and your use of the DDD Invoices Service and the https://dddinvoices.com/ website, whereby this DPA is subject to the provisions of Article 28 of the GDPR.

Controller Personal Data shall mean any End User Personal Data or any other Personal Data, that the Provider or Subprocessor Processes or shall Process pursuant to or in connection with the Agreement.

Data processing (also Processing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In the context of this DPA, the Provider shall Process the End User Data for which the User is deemed as the Controller in order to provide the Service.

European Economic Area (also called EEA) shall mean the EU Member States and Iceland, Liechtenstein, and Norway.

End User Personal data shall mean personal data which relates to a natural person or natural persons belonging to a legal person that interacts with the DDD Invoices Service as well as any Third party individual personal data.

Subprocessor (or Contracted Subprocessor) shall mean any person (including any third party and any Provider Affiliate, but excluding an employee of the Provider or any of its subcontractors) appointed by or on behalf of the Provider or any Provider Affiliate to Process Personal Data on behalf of the Provider in connection with the Agreement.

Standard contractual clauses shall mean the standard data protection clauses for the transfer of Personal Data to Processors established in countries outside of the EEA, where an adequate level of data protection with regards to the GDPR is not ensured on a national and systemic level, as described in Article 46 of the GDPR.

You (also your, User, Controller) shall mean the legal entity that shall be identified as the registered user of the Service when you, the duly authorised individual representing said entity, register an account (i.e. perform the actions from point 1.1. in the name of the company you represent) and is bound to this Agreement and the DDD Invoices Data Processing Agreement in accordance with the terms herein. The aforementioned also relates to any and all Permitted Users, Personnel, or your User Affiliates. In the context of this DPA you shall be deemed as the Processor of Personal Data.

User Affiliate shall mean in respect of the User and his legal entity, any other legal entity or private person controlling the User or being controlled by the User, or acting under the direct influence or instructions of the User, whereby “being controlled by” shall mean the possession, directly or indirectly, solely or jointly with another person, of power to direct or cause the direction of the management or policies and actions of a legal or natural person (whether through the ownership of securities, other shareholders, partnership or ownership interest, by establishing total or partial identity of individuals in management, by contract or otherwise).

Words in the singular include the plural and vice versa. Including and similar words do not imply any limit.

A reference to the Applicable legislation or statute includes references to regulations, orders or notices made under or in connection with such legislation, statute or regulations and all amendments, replacements or other changes to any of them.

4. CONTRACTUAL INTENT AND TERM

  1. The Parties seek to implement this DPA in order to achieve compliance with the requirements of the Applicable legislation as it pertains to the Processing of Personal Data and especially Article 28 of the GDPR, which forms the basis under which this DPA is drafted and construed.
  2. Notwithstanding any other provision relating to the term of this DPA, this DPA will take effect on the Start Date and shall remain in force until the Provider has deleted or returned all End User Personal Data to the Controller, whereby it shall be deemed as automatically terminated.

5. PROCESSING OF CONTROLLER PERSONAL DATA

  1. Permitted scope of Processing.
    The Provider shall:
    • Process Controller Personal Data in order to provide the Service as stated in the Agreement or on the basis of relevant Controller’s documented instructions which shall be deemed as contained herein unless otherwise given to the Provider in writing,
    • comply with any and all Applicable legislation in the Processing of Controller Personal Data,
    • Process Controller Personal Data if Processing is required under the Applicable legislation to which the Provider or relevant Contracted Processor is subject, in which case the Provider shall, to the extent permitted under the Applicable legislation, inform the Controller of that legal requirement before the relevant Processing of such Personal Data takes place.
  2. For the avoidance of doubt, the Provider shall only use the Controller Personal Data to provide the Service and shall not keep, retain, disclose, make available to third parties, sell or otherwise use the Controller Personal Data for any purpose other than for providing the Service under the Agreement as further described in Appendix 1.
  3. The Controller instructs the Provider and each Provider Affiliate (and authorises the Provider and each Provider Affiliate to instruct each Subprocessor) to:
    • Process Controller Personal Data as necessary for the provision of the Service as specified in Appendix 1,
    • transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Agreement if such territory is in the EEA, as specified in sections 8 and 14.
  4. The Controller warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 5.3. for all Controller Personal Data and on behalf of each relevant Controller Affiliate.
  5. Appendix 1 to this DPA sets out certain information regarding the Contracted Processors' Processing of the Controller Personal Data as required by Article 28 of the GDPR (and, possibly, equivalent requirements of other Applicable Legislation). The Controller may make reasonable amendments to Appendix 1 by written notice to Provider from time to time as Controller reasonably considers necessary to meet those requirements. Nothing in Appendix 1 (including as amended pursuant to this section 5.4) confers any right or imposes any obligation on any party to this DPA.

6. Provider and Provider Affiliate Personnel

The Provider and each Provider Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable legislation in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

7. Security and the keeping of records

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider and each Provider Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
  2. The list of technical and organisational measures that the Provider and each Provider Affiliate offers the Controller under this DPA is included in Appendix 2.
  3. Prior to concluding the Agreement and this DPA, the Controller is required to review and analyse the contents of Appendix 2 with regards to the technical and organisational measures and other security commitments which the Provider offers in connection with the provision of the Service.
  4. In assessing the appropriate level of security, the Provider and each Provider Affiliate shall take into account the particular risks that are presented by Processing Personal Data and in particular the risk of a Personal Data Breach. The Controller understands and agrees that it is his sole responsibility to consider if the technical and organisational measures from Appendix 2 meet his security needs and obligations with regards to Controller Personal Data and the Applicable legislation.
  5. Regarding the aforementioned, the Controller understands and agrees that he is solely responsible for his use of the Service, and is asked to put in place and maintain his own technical and organisational measures, which must include industry level best practices such as:
    • making copies (i.e. backing up) all Controller Personal Data prior to use with the Service,
    • practising safe and secure usage of the Service and the user account / password and secure keeping of account authentication credentials,
    • securing systems and devices which are used to access or interact with the Service.
  6. The Provider and Provider Affiliate take no responsibility regarding the processing, storage and protection of Controller Personal Data outside of the Service and the subsystems connected to the Service (which includes but is not limited to the access and storage of Controller Personal Data on the servers of the Controller or a third party, the transferring of Controller Personal Data to third parties, the distribution of account authentication credentials to third parties, etc.).
  7. The Controller understands and agrees that by concluding the Agreement and this DPA, the technical and organisational measures from Appendix 2 as well as other aspects of the security are deemed as appropriate with regards to the risk posed to Data Subjects.
  8. To the best of his ability the Provider shall keep records (i.e. log files) regarding the Processing of Controller Personal Data, and shall ensure that the records are sufficient to meet the Controller's compliance requirements. The Provider shall also provide said records to the Controller upon his written request.

8. Subprocessing

  1. The Controller specifically authorises and generally agrees with the Provider and each Provider Affiliate appointing and engaging Subprocessors in accordance with this section 8 and any restrictions in the Agreement.
  2. The Provider and each Provider Affiliate may also continue to use those Subprocessors already engaged by the Provider or any Provider Affiliate at the Start Date, whereby the Provider and Provider Affiliate shall be in each case and as soon as practicable required to ensure that the obligations set out in this section 8. are met by such Subprocessors.
  3. The list of Subprocessors, including details regarding their location and Processing functions is available in Appendix 2 of this DPA and may be updated from time to time by the Provider.
  4. Regarding the Processing and subprocessing of Controller Personal Data, the Provider and any Provider Affiliate shall only appoint and engage Subprocessors through the conclusion of a data processing agreement containing all necessary data protection obligations, which shall offer the same level of data processing protection that can be found in this DPA, to the extent applicable to the nature of the Services provided by such Subprocessors.
  5. Ten (3) business days prior to any Processing being carried out by a newly appointed Subprocessor, the Provider shall add such newly engaged Subprocessor to the list of Subprocessors. The parties hereby agree that such method of notification is adequate with regards to the Controller's right to be notified prior to Subprocessor engagement.
  6. Should the Controller or Controller Affiliate oppose the engagement and appointment of a new Subprocessor, he shall notify the Provider within ten (10) business days from the last day prior to the start of Processing as referred to in the previous point. After that, Processing by the Subprocessor shall be deemed as accepted by the Controller or Controller Affiliate.
  7. Should the Controller or Controller Affiliate oppose the engagement and appointment of a new Subprocessor and notify the Provider regarding this (even after the period from the previous point), all data processing by such newly appointed Subprocessor shall cease and the parties shall seek to find an applicable solution in good faith. If the parties cannot agree on an applicable solution regarding the objection in a reasonable timeframe, the Controller may terminate the Agreement.
  8. The Provider may be held liable for all obligations subcontracted to the Subprocessors, including their acts and omissions.

9. Data Subject Rights

  1. Taking into account the nature of the Processing, the Provider and each Provider Affiliate shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations to respond to requests to exercise Data Subject rights under the GDPR and the Applicable legislation.
  2. The Provider shall:
    • promptly notify the Controller if any Contracted Processor receives a request from a Data Subject under the GDPR and the Applicable legislation in respect of Controller Personal Data; and
    • ensure that the Contracted Processor does not respond to that request except on the documented instructions of the Controller or the relevant Controller Affiliate or as required under the GDPR and the Applicable legislation to which the Contracted Processor is subject, in which case the Provider shall to the extent permitted by Applicable legislation inform the Controller of that legal requirement before the Contracted Processor responds to the request.

10. Personal Data Breach

  1. The Provider shall notify the Controller without undue delay upon the Provider or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow him to meet any obligations to report or inform the Data Subjects of the Personal Data Breach under the Applicable legislation.
  2. The Provider shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

11. Data Protection Impact Assessment and Prior Consultation

The Provider and each Provider Affiliate shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Controller reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable legislation, in each case solely in relation to the Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Provider and the Contracted Processors.

12. Deletion or return of Controller Personal Data

  1. Subject to points 12.2 and 12.3 the Provider and each Provider Affiliate shall promptly and in any event within 30 (thirty) business days of the date of termination of the Agreement (i.e. termination by either the Controller or the Provider under the applicable clauses of the Agreement) delete and procure the deletion of all copies of those Controller Personal Data that are listed as being stored in Appendix 1, thereby permanently removing all copies and instances of such data in the Provider's systems. By notifying the Provider prior to termination of the Agreement, the Controller and Provider may also arrange for the transfer of such data to the Controller prior to deletion.
  2. The Provider and each Contracted Processor may retain Controller Personal Data to the extent required by Applicable legislation and only to the extent and for such period as required by the Applicable legislation and always provided that the Provider and each Provider Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable legislation requiring its storage and for no other purpose.

13. Audit rights

  1. Subject to sections 13.2 to 13.4, the Provider and each Provider Affiliate shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Controller or the Contracted Processors.
  2. Information and audit rights of the Controller only arise under section 13.1 to the extent that the Agreement does not otherwise give information and audit rights meeting the relevant requirements of the Applicable legislation (including Article 28 of the GDPR).
  3. The Controller or the relevant Controller Affiliate undertaking an audit shall give the Provider or the relevant Provider Affiliate a notice at least fourteen (14) business days prior to any audit or inspection being conducted under this section 13 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Provider's or Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The Provider or a Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
    • to any individual unless he or she produces reasonable evidence of identity and authority;
    • outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and the Controller or the relevant Controller Affiliate undertaking an audit has given notice to the Provider or the relevant Provider Affiliate that this is the case before attendance outside those hours begins; or
    • for the purposes of more than one audit or inspection, in respect of the Provider or each Contracted Processor, in any calendar year, except for any additional audits or inspections which:
      a) the Controller or the relevant Controller Affiliate undertaking an audit reasonably considers necessary because of genuine concerns as to Provider's or the relevant Provider Affiliate’s compliance with this DPA; or
      b) the Controller is required or requested to carry out by the Applicable legislation, a supervisory authority or any similar regulatory authority responsible for the enforcement of Applicable legislation in any country or territory.
  4. The Provider shall, upon request also provide the Controller or the mandated auditor with documentation of implemented technical and organisational measures to ensure an appropriate level of security, and other information necessary to demonstrate the Provider's or the relevant Provider Affiliate’s or the Contracted Processor’s compliance with its obligations under this DPA and relevant Applicable legislation, but shall provide access to information concerning the Provider's or the relevant Provider Affiliate’s or the Contracted Processor’s other information subject to confidentiality obligations.

14. Transfer of Controller Personal Data to Countries Outside of the EEA

  1. Transfer of Controller Personal Data to countries located outside of the EEA (if not previously mentioned hereunder) by transfer, disclosure or provision of access to data, may only occur in case of documented instructions from the Controller or Controller Affiliate.
  2. By entering into this DPA, the Controller also grants the Provider the authority to enter into Standard contractual clauses on behalf of the Controller or the relevant Controller Affiliate, as they may be laid down by the European Commission or the applicable supervisory authority from time to time, in order to secure a valid legal basis for the transfer, disclosure or provision of access to data by Subprocessors outside of the EEA or international organisations. If the Controller is not the actual controller of the relevant Controller Personal Data, the Controller shall ensure such authorisation from the actual controller. Upon request, the Provider shall provide the Controller with a copy of such Standard contractual clauses or state such other valid legal basis for each transfer.
  3. By entering into this DPA, the Controller further grants the Provider the authority to freely engage Subprocessors on behalf of the Controller or the relevant Controller Affiliate in connection with the provision of the Service, if such Subprocessors have duly undergone and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (i.e. the new EU-USA Data Privacy Framework as per the stated adequacy decision from the 10th of July 2023).

15. General Terms

15.1. Governing law and jurisdiction.

Without prejudice to any applicable Standard contractual clauses which may have been entered into on the basis of this DPA:

15.2. Order of precedence.

With regard to the subject matter of this DPA and in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.

15.3. Liability.

Under or in connection with the Agreement, this DPA or any Standard contractual clauses which may have been concluded in connection with this DPA and regardless of the type of liability, the parties hereby agree, that the total combined liability of the Provider and the Provider Affiliate towards the Controller, the Controller Affiliate or towards both, shall be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement.

The aforementioned shall not affect each party's liability to Data subjects under the GDPR or Applicable legislation or any Standard contractual clauses which may have been concluded in connection with this DPA so that such limitation of liability or liability cap would directly breach the GDPR or the Applicable legislation.

15.4. Severance.

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.



List of Appendices (2/2):

Appendix 1: DATA PROCESSING INSTRUCTIONS REGARDING THE PROCESSING OF CONTROLLER PERSONAL DATA IN CONNECTION WITH THE SERVICE & THE LIST OF APPROVED SUBPROCESSORS
Appendix 2: LIST OF TECHNICAL AND ORGANISATIONAL MEASURES OFFERED BY THE PROVIDER AND PROVIDER AFFILIATES FOR THE PROTECTION OF CONTROLLER PERSONAL DATA



Appendix 1: DATA PROCESSING INSTRUCTIONS REGARDING THE PROCESSING OF CONTROLLER PERSONAL DATA IN CONNECTION WITH THE SERVICE & THE LIST OF APPROVED SUBPROCESSORS

This Appendix 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) of the GDPR:

Method and purpose of data collection
In order to provide the Service as it is set out in the Agreement:

  1. the Controller may use the Service and make it available inside of his organisation so that his Workspace members may Input data or content (such as prompts, articles, files, documents, queries, questions, sentences), as the case may be, into the Service;
  2. the Controller may input Controller Personal Data directly into the Service himself;

In both cases outlined above, the Provider is therefore instructed by the Controller under this DPA to collect, store and process the relevant End User Personal data so that the Service may deliver automatically generated summaries or other Output data.

Categories of Data Subjects
The categories of Data Subjects whose Personal data may be Processed under this DPA are defined by the Controller and are as follows:

whereby the Controller expressly warrants to the Provider under the Agreement, that he had obtained the required consent for the processing of the Personal Data of any and all such Data Subjects.

Personal Data types and the subject-matter, nature and purpose of Processing
Subject to the Controller's use of the Service, the following Processing may be carried out by the Provider or his Subprocessors in order to provide each sought after feature of the Service:

| Categories of Personal Data Processed | Description of Processing Activities | Purposes of Processing & Types of Processing |
| --- | --- | --- |
| Invoice and transaction data (issuer/recipient identification data, contact person details, invoice metadata, line items, tax data, references, notes, technical invoice metadata) | Processing of invoice data submitted by the Client through the Service or via API integration, including generation, validation, transmission, storage, retrieval, and archiving of electronic invoices. | To provide electronic invoicing services in accordance with the Agreement and Client instructions, including invoice issuance, transmission, compliance with tax rules, auditability, and document integrity. |
| Business contact data (names, email addresses, phone numbers of contact persons of issuers/recipients, where included by the Client) | Inclusion of contact data within invoice documents and related communications strictly as provided by the Client. | To enable correct identification of invoice parties and facilitate invoice-related communication initiated by the Client. |
| Technical and operational data (IP addresses, API credentials, authentication tokens, system logs, error logs, access logs, timestamps, device and integration identifiers) | Automatic processing of technical data generated during use of the Service and API integrations. | To ensure secure, reliable, and uninterrupted operation of the Service, including monitoring, troubleshooting, and incident prevention. |
| Usage and service performance data (usage statistics, transaction counts, system performance metrics) | Processing of aggregated or pseudonymised operational data related to the use of the Service. | To maintain, secure, and improve the Service, ensure capacity planning, and detect anomalies or abuse. |
| Backup and audit trail data (invoice versions, processing logs, status histories, recovery snapshots) | Creation and maintenance of backups, version history, and audit trails for invoice processing. | To ensure data integrity, traceability, business continuity, and disaster recovery in line with the Agreement. |

Timescales for the keeping of Personal Data and the duration of the Processing
The Provider will keep Personal Data for as long as it is necessary to fulfil the above-listed purposes and shall delete and procure the deletion of all copies of stored Personal Data within 30 (thirty) business days of the date of termination of the Agreement (i.e. termination by either the Controller or the Provider under the applicable clauses of the Agreement).

The processing will continue for the duration of Controller’s use of the Service, whereby most Processing takes place instantly after initiation by the Controller via the User dashboard.

Entities involved in the Processing
The Personal Data shall be processed via automatic means by the algorithms and models of the Service (offered by the Provider alone or through its Subprocessors). Provider Personnel shall only process Personal Data upon Controller request or when performing job-related tasks that require the Processing of data (i.e. troubleshooting and when planning our next update or analysing systemic issues that Controllers or Workspace members have reported).

Approved Subprocessors
The following Subprocessors are hereby jointly approved by the Controller in relation to their sub-processing of the data in the provision of the Service under this DPA.

In accordance with this DPA, the Provider is instructed by the Controller to transfer Personal Data to the listed Subprocessors:

| Subprocessor | Purpose and basis for processing | Country, location / protection of data |
| --- | --- | --- |
| Contabo GmbH | Main service hosting and data storage. Processing of invoice data, technical data, and backups necessary for the operation and availability of the Service. Legal basis: Contractual – provision of the Service in accordance with the Agreement and Client instructions. | Subprocessor entity location: European Union. Server / processing location: European Union. Security measures: ISO 27001–aligned technical and organisational measures and data centre security controls implemented by the provider. |
| Cloudflare, Inc. | Public network security and performance. Processing of connection metadata (IP addresses, request headers, timestamps) for DDoS protection, firewalling, and traffic optimisation. Legal basis: Legitimate interest / contractual necessity – security and availability of the Service. | Subprocessor entity location: European Union (regional services). Server / processing location: European Union. Security measures: Industry-standard network security controls, encryption in transit, and access controls. |
| Vercel, Inc. | Website hosting and content delivery network (CDN). Processing of limited technical and usage data required to deliver the Website and web-based Service components. Legal basis: Contractual – operation and delivery of the Service. | Subprocessor entity location: European Union (EU hosting configuration). Server / processing location: European Union. Security measures: Encryption in transit, access controls, and infrastructure security measures implemented by the provider. |
| Google LLC (Google Workspace / Drive) | Storage of customer agreements and contractual documentation. Processing of business contact data and contract-related metadata. Legal basis: Contractual and legal obligation – record-keeping and contract management. | Subprocessor entity location: European Union (EU data region). Server / processing location: European Union. Security measures: ISO 27001 certified infrastructure, encryption at rest and in transit, access controls. |
| A-cube d.o.o. | Local e-invoicing service provider. Processing of invoice data for legally required invoice exchange with national systems. Legal basis: Contractual and legal obligation – statutory e-invoicing compliance. | Subprocessor entity location: European Union. Server / processing location: European Union. Security measures: Compliance with national e-invoicing regulations, secure transmission channels, access controls. |
| Invoice Portal | Local e-invoicing service provider. Processing of invoice data for cross-border or national invoice transmission. Legal basis: Contractual and legal obligation – statutory e-invoicing compliance. | Subprocessor entity location: European Union. Server / processing location: European Union. Security measures: Secure transmission protocols and regulatory compliance safeguards. |
| Link4 Pty Ltd | Local e-invoicing service provider (Australia). Processing of invoice data required for invoice delivery through Australian e-invoicing infrastructure. Legal basis: Contractual and legal obligation – provision of region-specific invoicing services. | Subprocessor entity location: Australia. Server / processing location: Australia. Protection of data: Transfers subject to appropriate safeguards under Chapter V GDPR (e.g. Standard Contractual Clauses). Security measures: Secure transmission channels and contractual confidentiality obligations. |


Appendix 2: LIST OF TECHNICAL AND ORGANISATIONAL MEASURES OFFERED BY THE PROVIDER AND PROVIDER AFFILIATES FOR THE PROTECTION OF CONTROLLER PERSONAL DATA

1. PHYSICAL ACCESS CONTROL
The entrance to the common areas and the office is under supervision, with the key to the entrance of the office being held only by the head of the office, the director and any other supervising employees.

Cabinets, desks and other office furniture in which personal data carriers are kept and which are located outside the protected areas (corridors, common areas) are locked. The keys are kept by the employee who supervises the individual cabinet or desk at a designated place. Leaving keys in their locks is not allowed. Access to the protected premises is allowed only during regular working hours, whereby access at a different time is only allowed with the permission of the responsible person (supervising employee). Cabinets and desks containing personal data carriers are locked in protected rooms at the end of working hours or after the completion of work after working hours, while computers and other hardware are switched off and physically locked or locked through software. Leaving keys in their locks is not allowed.

Employees ensure that persons who are not employees of the company (e.g. customers, maintenance staff, business partners, etc.) do not enter the protected premises unattended, but only with the knowledge / presence of the responsible person.

2. PROTECTION OF SYSTEMS AND DATA CONTAINING PERSONAL DATA
2.1 Data centres and infrastructure security
Personal data processed by the Service Provider is stored exclusively in data centres located within the European Union. The Service Provider uses physically secure data centres that meet recognised international security standards and employ multi-layered physical protection mechanisms. Data centre infrastructure includes redundancy to eliminate single points of failure and to minimise the impact of environmental or technical risks. Power systems are designed to operate continuously and are supported by uninterruptible power supplies (UPS) and backup generators to ensure availability of services 24 hours a day, 7 days a week. Preventative and corrective maintenance processes are implemented in a manner that does not interrupt service availability.

2.2 Network and transmission security
Data centres are connected to the internet backbone through high-speed secure connections enabling encrypted data transmission between the Service Provider and users of the Service. All data in transit is protected using HTTPS encryption. The Service Provider employs intrusion detection and prevention measures to protect its external attack surface. These measures include controlling exposure points, implementing intelligent detection mechanisms at data entry points, and deploying automated response technologies to mitigate identified threats. Security incidents are continuously monitored, and the Service Provider’s security personnel respond promptly to detected events.

2.3 Physical and logical access control
Access to data centres is strictly restricted to authorised personnel only and is controlled through identification and authorisation mechanisms. On-site security operations are maintained 24/7 to ensure physical protection of infrastructure. Access to systems and personal data is granted exclusively to personnel who require such access to perform their duties. Access rights are assigned according to the principle of least privilege and are reviewed regularly. All personnel receive security and confidentiality training and are bound by confidentiality obligations. Personnel are required to comply with internal security, privacy, and professional conduct policies.

2.4 Data storage, isolation, and retention
Personal data is stored in a logically isolated, multi-tenant environment on servers contracted by the Service Provider. Customer Data is segregated through logical controls and, where applicable, replicated across geographically separated data centres to ensure availability and resilience. Personal data is retained only for the duration necessary to fulfil contractual obligations or as required by applicable legal and regulatory requirements. Administrative data (e.g. invoicing, communication, and contract records) is retained in accordance with statutory retention periods.

2.5 Data deletion and decommissioning
When storage devices are decommissioned, they are subject to secure data destruction processes. In the event of hardware failure, storage devices are physically destroyed to prevent any unauthorised recovery of data.

2.6 Encryption and cryptographic controls
Encryption and hashing mechanisms compliant with NIST-approved standards are used where appropriate. All data in transit is encrypted, backups are encrypted, and data stored in databases is encrypted or hashed depending on the use case (e.g. credentials and authentication data).

3. HARDWARE AND SOFTWARE PROTECTION
Measures related to the organisation:
  • Executed a DPIA assessment of the Service
  • Engaged an external Data Protection Officer
  • Determined appropriate access to databases based on job tasks and responsibilities
  • Adopted records of processing
  • Adopted an internal Data Protection Security Policy
  • Adopted a dedicated Data Protection Policy

Measures related to human resources:
  • Regular employee training
  • Use of dedicated VPN system for remote work situations

Measures related to network protection:
  • Separate networks for development, other office tasks and guests
  • Separate network accesses based on employee credentials and tasks
  • Two-factor authentication for Google Cloud storage

Measures related to hardware protection:
  • Implemented specialised work stations and remote work computers
  • Use of anti-virus software
  • Use of employee log-in

Measures related to software protection:
  • Use of separated development environments
  • Use of “dummy data”

(A full list of protective measures and processes from the Data Protection Policy that have been put in place in connection with the Service shall be made available upon specific request.)